Differences

This shows you the differences between two versions of the page.

--- networking:mikrotik:hairpin_nat [2021/05/13 12:58] – rplecko
+++ networking:mikrotik:hairpin_nat [2021/05/19 17:30] (current) – rplecko
@@ Line 7: / Line 7: @@
 In the below network topology a web server behind a router is on private IP address space, and the router performs NAT (dst-nat) to forward traffic which was destined to its public IP address, to the web server behind it (on local network).
-[[http://wiki.pcsinfo.hr/lib/exe/detail.php?id=networking:mikrotik:hairpin_nat&media=networking:mikrotik:hairpin.png|{{  :networking:mikrotik:hairpin.png?700  }}]]
+[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:hairpin_nat&media=networking:mikrotik:hairpin.png|{{  :networking:mikrotik:hairpin.png?700  }}]]
 **The NAT configuration would look like below:**
@@ Line 37: / Line 37: @@
 ^02|192.168.0.1|192.168.0.100|the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. The source IP address stays the same: <fc #ff0000>192.168.0.1</fc>.|
 ^03|192.168.0.100|192.168.0.1|the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to <fc #ff0000>192.168.0.1</fc> with a source IP address in the reply of <fc #ff0000>192.168.0.100</fc>.|
-  - the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource.
-  - the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. The source IP address stays the same: <fc #ff0000>192.168.0.1</fc>.
-  - the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to <fc #ff0000>192.168.0.1</fc> with a source IP address in the reply of <fc #ff0000>192.168.0.100</fc>.
 The client receives the reply packet, but it discards it because it expects a packet back from <fc #ff0000>1.1.1.1</fc>, and not from <fc #ff0000>192.168.0.100</fc>. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
@@ Line 52: / Line 48: @@
 </code>
-|   ^Source IP address^Destination IP address|
-^Step - 01|192.168.0.1|1.1.1.1|
-^Step - 02|192.168.0.254|192.168.0.100|
-^Step - 03|192.168.0.100|192.168.0.254|
-^Step - 04|1.1.1.1|192.168.0.1|
 With that additional rule, the flow now changes:
-  - the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource.
+|Step^Source IP address^Destination IP address^Description|
-  - the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is <fc #ff0000>192.168.0.100</fc>, and the source IP address is <fc #ff0000>192.168.0.254</fc>.
+^01|192.168.0.1|1.1.1.1|the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource.|
-  - the web server replies to the request and sends the reply with a source IP address of <fc #ff0000>192.168.0.100</fc> back to the router's LAN interface IP address of <fc #ff0000>192.168.0.254</fc>.
+^02|192.168.0.254|192.168.0.100|the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is <fc #ff0000>192.168.0.100</fc>, and the source IP address is <fc #ff0000>192.168.0.254</fc>.|
-  - the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field.
+^03|192.168.0.100|192.168.0.254|the web server replies to the request and sends the reply with a source IP address of <fc #ff0000>192.168.0.100</fc> back to the router's LAN interface IP address of <fc #ff0000>192.168.0.254</fc>.|
+^04|1.1.1.1|192.168.0.1|the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field.|
 The client receives the reply packet it expects, and the connection is established.